CVE-2024-12029: A remote code execution vulnerability exists in invoke-ai/invokeai versions 5.3.1 through 5.4.2 via the /api/v2/models/i
highvulnerability
security
Summary
InvokeAI versions 5.3.1 through 5.4.2 contain a remote code execution vulnerability (the ability for attackers to run commands on a system they don't own) in the model installation API. The flaw comes from unsafe deserialization (converting data back into usable code without checking if it's trustworthy) of model files using torch.load, which allows attackers to hide malicious code in model files that gets executed when loaded.
Solution / Mitigation
This issue is fixed in version 5.4.3. Users should update to version 5.4.3 or later.
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 49.1%
Classification
Attack Type
Model Poisoning
Attack SophisticationModerate
Impact (CIA+S)
integrityavailability
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2024-12029
First tracked: February 15, 2026 at 08:53 PM
Classified by LLM (prompt v3) · confidence: 92%